My team recently discovered that the policy audit log only includes actions taken on policies and does not include roaming client or site configuration changes, or perhaps more importantly, changes to the universal allow and block lists.